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Abstract 

Recently, Zou et al. [Phys. Rev. A 82, 042325 (2010)] pointed out 
that two arbitrated quantum signature (AQS) schemes are not secure, 
because an arbitrator cannot arbitrate the dispute between two users when 
a receiver repudiates the integrity of a signature. By using a public board, 
they try to propose two AQS schemes to solve the problem. This work 
shows that the same security problem may exist in their schemes and 
also a malicious party can reveal the other party's secret key without 
being detected by using the Trojan-horse attacks. Accordingly, two basic 
properties of a quantum signature, i.e. unforgeability and undeniability, 
may not be satisfied in their scheme. 

Keywords: Quantum information; Quantum cryptography; Arbi- 
trated quantum signature. 



1 Introduction 

Quantum signature, which concerns about the authenticity and non-repudiation 

of quantum states on an insecure quantum channel [J [2], is one of the most 
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important researches in quantum cryptography. By exploiting the principles 
of quantum mechanics, e.g., no-cloning theory and measurement uncertainty, 
quantum signature can provide unconditional security. Two basic properties 
are required in a quantum signature [Ij : 

1. Unforgeability: Neither the signature verifier nor an attacker can forge a 
signature, or change or attach the content of a signature. The signature 
should not be reproduced by any other person. 

2. Undeniability: A signatory, Alice, who has sent the signature to the ver- 
ifier. Bob, cannot later deny having signed a signature. Moreover, the 
verifier Bob cannot deny the receipt of the signature. 

Quantum signature was first investigated by Gottesman and Chuang [3]. After 
that, a variety of quantum signature schemes have been proposed [TJ [31 21 [51 
[nilIllSlH[ini[ni[Il[Il[Ill- Zeng at al. ^ proposed an arbitrated quantum 
signature (AQS) scheme based on the correlation of GHZ states and quantum 
one-time pads. However, Curty et al. [6J pointed out that [IJ is not clearly 
described and the security statements claimed by the authors are incorrect. In 
the reply comment [7J, Zeng gave a more detailed presentation and proof to 
their original AQS scheme [1]. To improve the transmission efficiency and to 
reduce the implementation complexity of [1] [7] , Li et al. [8J proposed an AQS 
scheme using Bell states and claimed that their improvements can preserve the 
merits in the original scheme [2 [7] . 

In an AQS scheme, an arbitrator plays a crucial role. When a dispute arises 
between the users, the arbitrator should be able to arbitrate the dispute. The 
arbitrator should be able to solve a dispute when a receiver. Bob, repudiates the 
receipt of the signature, or in particular, the receiver repudiates the integrality 
of the signature, i.e.. Bob admits receiving a signature but denies the correctness 
of the signature. The dispute of the latter one implies the following three cases 
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(1) Bob told a lie; 

(2) The signatory Alice sent incorrect information to Bob; 

(3) An eavesdropper Eve disturbed the communications. 

Since the arbitrator in [TJ[71[S] cannot solve the dispute when Bob claims that the 
verification of a signature is not successful, Zou et al. [15J considered that these 
schemes are not valid because the security requirement of a quantum signature, 
i.e., the undeniability, is not satisfied. 

By using a public board, Zou et al. also proposed two AQS schemes to solve 
the problem. However, this study will point out that the same security problem 
may exist in their schemes. That is, when Bob announces that the verification is 
not successful, the arbitrator may not be able to distinguish which case described 
above has happened. Besides, this study also tries to investigate if a malicious 
signer, Alice, can reveal Bob's secret key without being detected by performing 
the Trojan- horse attacks [TBI I17| . 

The rest of this paper is organized as follows. Section 2 reviews Zou et al.'s 
schemes. Section 3 shows the problems with the schemes. Finally, Section 4 
concludes the result. 

2 Review of Zou et al.'s schemes 

Zou et al.'s AQS schemes [I5j are briefly explained in the following scenario. 
Alice, the message signatory, would like to sign a quantum message \P) to a 
signature verifier. Bob, via the assistance of an arbitrator, Trent. Suppose that 
Alice and Bob share a secret key K £ {0, 1}*, and the quantum message to be 
signed is \P) = |Pi)®|P2>®-®|fn), where \K\ > 2n, \P,) = a, |0) +/3, |1), and 
1 < i < n. In order to protect the quantum message, the quantum one-time-pad 
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encryption Ek |18| and the unitary transformation Mk used in the schemes are 
defined as follows. 

n 

MK(|P))=(g)af-af-«M^'.), (2) 

2=1 

where |Pj) and Ki denote the zth bit of \P) and K, and cr^ are the Pauli 
matrices, respectively. 

To prevent the integrality of a signature from being disavowed by Bob, Zou 
et al. proposed two AQS schemes: the AQS scheme using Bell states and the 
AQS without using entangled states, respectively. Their schemes are described 
as follows. 

2.1 Scheme 1: the AQS scheme using Bell states 

Suppose that Alice wants to sign an n-bit quantum message |P) to Bob. In 
order to perform the signature, three copies of |P) are necessary. The scheme 
proceeds as follows: 

Initializing phase: 

Step /I. The arbitrator Trent shares the secret keys Ka,Kb with Alice and 
Bob respectively through some unconditionally secure quantum key dis- 
tribution protocols. 

Step /2. Alice generates n Bell states, = (lOO)^^ + lll)^^), where 
I < i < n, and the subscripts A and B denote the 1** and the 2"'' particles 
of that Bell state, respectively. After that, Alice sends all B particles to 
Bob in a secure and authenticated way \JM \7U\ . 
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Signing phase 

Step SI. Alice chooses a random number r G {0, 1}^" to encrypt all |P)'s, i.e., 

\n = EA\p))- 

step 52. Alice generates \Sa) = Ek^ i\P'))- 

Step 5*3. Alice combines each |P/) and the Bell state to obtain a three-particle 
entangled state, 



where |<&pyi) , I'I'pa) ' I^pa)' ^^'^ I*pa) ^''^ ^^^^ states [21j. 

Step 5*4. Alice performs a Bell- measurement on each \(j>i) and obtains the 
measurement results \Ma) = {\M\) ,\mX) , . . . ,\M2)) , where |Mji) e 
- |*pa). . - |*pa) J- and 1 < i < n. 

Step 55. Alice sends 15) = (|P') , \Sa) , |Ma)) to Bob. 
Verification phase: 

Step VI. Bob encrypts \P') and |5y!i) with Kb and sends the quantum cipher- 
text \Yb) - EkA\P') , \Sa)) to Trent. 

Step V2. Trent decrypts |Yb) with Kb and obtains |P') and \Sa). Then he 
encrypts |P') with i^A and gets \St). If |5t) = |5a) [51[52], Trent sets 
the verification parameter V = 1; otherwise, V = 0. 

Step V3. Trent recovers |P') from \St). Then he encrypts |P') , \Sa) and 
with Kb and sends the quantum ciphertext \Yt) = -E/f^ d-F") i I'S'a) , ^) 
to Bob. 

Step V4. Bob decrypts IFt) and gets |P') , |5a), and V. li V ^ 0, Bob rejects 
the signature; otherwise. Bob continues to the next step. 



step V5. Based on Alice's measurement results Ma, Bob can obtain \Pg) from 
the B particles received from the Step 12 according to the principle of 
teleportation [8J. Then he compares \P^) with \P'). If = \P'), Bob 
informs Alice to publish r and proceeds to the next step; otherwise, he 
rejects the signature. 

Step V6. Alice publishes r on the public board. 

Step V7. Bob recovers \P) from \P') by r and holds {\Sa) , r) as Alice's signa- 
ture for the quantum message \P). 

2.2 Scheme 2: the AQS scheme without using entangled 
states 

Since the preparation, distribution, and storing of quantum entangled states are 
not easily implemented with today's technologies, Zou et al. also proposed an 
AQS scheme without using entangled states (Scheme 2) in the signing phase 
and the verifying phase. In order to prevent a signature from being disavowed 
by Bob, a public board is also used in the proposed scheme. The scheme is 
described as follows. 

Initializing phase: 

Step /I'. The arbitrator Trent shares the secret keys Kat,Kbt with Alice 
and Bob respectively through some unconditionally secure quantum key 
distribution protocols. Similarly, Alice shares a secret key, Kab, with 
Bob. 

Signing phase: 

Step 5*1'. Alice chooses a random number r e {0, 1}^" and then computes 
\P') = Er (|P)) and \Rab) = Mk^s where \P) is as defined before. 
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step S2'. Alice generates \Sa) = Ek^^ 

Step 53'. Alice generates 15) = Ek^b {\P') , \Rab) , \Sa)) as her signature and 
then sends it to Bob. 

Verification phase: 

Step VI'. Bob decrypts 15) with Kab and obtains |P') , \Rab) and \Sa). Then 
he generates |Yb) = Ekbt {\P') , \Sa)) and sends it to Trent. 

Step V2'. Trent decrypts \Yb) with Kbt and obtains \P') and \Sa)- 

Step V3'. Trent decrypts \Sa) with Kat to obtain \P^). If \P^) = \P'), he 
sets the verification parameter W = 1; otherwise, Vr = 0- Then Trent 
announces Vr on the pubUc board. If Vr = 1, he regenerates |Yb) and 
sends it back to Bob. 

Step V4'. If W = 0, Bob rejects the signature. For otherwise, he decrypts 
|Yb) with Kbt to obtain |P') and \Sa)- Then he computes |P^) = 
^Kab (I-^^s)) and compares it with \P'). If \P'g) = \P'), he sets the 
verification parameter Vb = 1; otherwise, Vb = 0. Bob announces Vb on 
the pubhc board. 

Step V5'. If Vb = 0, Alice and Trent abort the scheme; otherwise, Alice an- 
nounces r on the public board. 

Step V6'. Bob recovers |P) from \P') by r and holds {\Sa) ,r) as Alice's sig- 
nature for the quantum message \P). 

3 Problems to be discussed 

This section tries to investigate problems that could arise on Zou et al.'s schemes 
if precautions are not taken. We first discuss the deniable dilemma. Then, we 
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investigate the Trojan-horse attacks against the schemes. 



3.1 The deniable dilemma 

In Zou ct al.'s schemes, the signatory Ahcc uses a random number r to protect 
the quantum message \P) (i.e., |P') = Er {\P))) before signing it. After the ar- 
bitrator Trent's verification, Bob recovers \Pg) and compares it with |P'). Once 
Bob informs Ahce that |P^) = |P'), Ahce will publish r on the public board, 
which is assumed to be free from being blocked, injected or alternated. Finally, 
Bob recovers \P) from \P') by r and retains {\Sa) ,r) as Alice's signature. 

It appears that if Bob informs Alice to publish r on the public board, then 
he cannot disavow the integrality of the signature. Accordingly, Zou et al. con- 
sidered that the use of the public board can prevent the denial attack from Bob. 
However, if Bob claims that \P'g) ^ \P') in Step V5 (or Step V4' in Scheme 2), 
Trent cannot arbitrate the dispute between Alice and Bob because the following 
three cases are possible. (This is particularly serious, if the signature scenario 
occurs in an electronic block market, where Alice is a buyer and Bob, a block 
company.) 

1. Bob told a lie: In this case. Bob decides to forgo the recovery of the 
message |P) due to some unknown reasons; 

2. Alice sent incorrect information to Bob: In Step S3 of Scheme 1, Alice 
deliberately generated \(f>i) by another message P/^ with P/^ ^ |P/) or 
generated \S) = {\P') ,\Sa) ,\M'j^)) with \M'^) ^ \Ma) in Step S5. In 
Scheme 2, Alice intentionally sent \S) = Ek^b {\P') ; Rab^ , \Sa)^ with 

Rab) + \Rab) to Bob in Step S3'; 



3. Eve disturbed the communication. 

Apparently, when Bob claims that |P^) ^ |P'), Trent cannot solve the dispute. 
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Furthermore, as also pointed out in [TS], the signer, Alice, is able to publish an 
arbitrary r' r) in her favor without been verified, which is obviously against 
the requirement of a signature scheme. 

3.2 The Trojan-horse attack 

In Zou et al.'s schemes, there are two transmissions of the same quantum signals, 
i.e. first from Alice to Bob, and then from Bob to the arbitrator. Therefore, the 
malicious Alice can reveal Bob's secret key without being detected by performing 
the Trojan-horse attacks [inillT]. Similar to [S], there are two attack strategies 
in the Trojan-horse attacks: the invisible photon eavesdropping [16] and the 
delay photon eavesdropping |17| . The following will discuss the invisible photon 
eavesdropping (IPE) on Zou et al.'s schemes and show that Alice can obtain 
Bob's secret key without being detected. Note that, Alice can also use the delay 
photon eavesdropping to reveal Bob's secret key in the same way. 

In Scheme 1, in order to reveal Bob's secret key i^s, Alice can perform the 
IPE attack on the communications in Step 5*5 and Step VI as follows: 

Step S'5a. Alice first prepares a set of eavesdropping states, D* e |--i= (|00) + 
|, as invisible photons, where the subscripts d\ and d\ represent 
the I''* and 2""* photons uvD\l<i< n. For each state in \P') (or \Sa)), 
Alice inserts d\ as an invisible photon to that state and forms a new 
sequence \P'f' {\SaY^')- Then Alice sends \SY^' = {\P'f^ , \Sa) , 
to Bob. 

Step Via. Bob encrypts |P')''^ and \Sa) with Kb and sends the quantum ci- 
phertext {¥3)"^^' = EKs{\P'f' , \Sa)) to Trent. Before Trent receives the 
quantum ciphertext \Yb)'^^' , Alice captures dy from \Yb)'^^' and measures 
di'd2 together with the Bell measurement. According to the measuring 
result of d\,d\^ Alice can obtain Bob's secret key Kg~^'^\ 
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Note that, Alice can also use the similar ways mentioned above to obtain Bob's 
secret key Kbt in Scheme 2. Since both Scheme 1 and 2 are insecure to the 
Trojan-horse attacks, Bob can deny having verified a signature. Therefore, the 
basic properties of a quantum signature, i.e. unforgeability and undeniability, 
are not satisfied in their schemes. 

4 Conclusions 

This study has pointed out two security flaws in Zou et al.'s AQS schemes, in 
which the arbitrator cannot arbitrate the dispute between Alice and Bob when 
Bob claims failure in his verification. Besides, a malicious signer can obtain 
verifier's secret key by performing the Trojan-horse attacks. How to improve 
their AQS schemes to avoid the problems mentioned in this paper will be an 
interesting future research. 
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